• +49 (30) 804 03 588 | +49 (0)157 322 38619 | +33 (0) 6 79183704
  • sybille.boese-tarsia@sbt-rechtsanwaeltin.eu
  • Nickisch-Rosenegkstrasse 9, 14129 Berlin

US President Trump's Executive Order of January 25, 2017, and the effectiveness of the "Privacy Shield" in protecting personal data of European companies that exchange data daily with their US affiliates, customers and subcontractors

The January 25, 2017 order entitled "Enhancing Public Safety in the Interior of the United States" raised alarms as to whether the US President's order would undermine the EU-U.S. Privacy Shield, the self-certification framework under which personal data can be lawfully transferred from the European Union to the United States (in force since August 1, 2016). This concern is unfounded (at least as of today).

The US Executive Order

Section 14 of the order seeks to exclude persons who are neither US citizens nor lawful permanent residents from the protections of the Privacy Act of 1974.

The section provides, in its entirety:

"Agencies shall, to the extent consistent with applicable law, ensure that their privacy policies exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information."

The Order does not affect the validity of the Privacy Shield provisions. The Privacy Shield is largely directed at private corporations and similar organisations, whereas the Privacy Act is directed at US federal agencies.

There are three reasons for this:

First, executive orders must operate within the laws enacted by Congress and cannot undo or contravene those laws. If individuals, citizens or non-citizens, are granted certain rights by statute, the US executive is bound to follow the statute and cannot simply take those rights away. This is implicitly recognised in the Order, including in Section 14, since its actions are to be taken only "to the extent consistent with" or "to the extent permitted by" applicable law.

Second, the Privacy Act establishes requirements for the collection and maintenance of information about individuals, restricts disclosure of such information, and grants individuals certain rights, e.g. of access and amendment, regarding information about them. The remedies established under the Privacy Act were extended to EU citizens by the Judicial Redress Act of 2015 in order to implement the Privacy Shield. The Order of January 25, 2017 does not address the Judicial Redress Act and thus does not remove the availability of those remedies.

Third, the Privacy Shield is in large part directed at private entities: corporations and other organisations subject to US FTC jurisdiction. US companies voluntarily join the Privacy Shield by agreeing to adhere to a set of principles that ensure safeguards and proper treatment of personal data transferred from the EU, as well as means of redress for individuals in the EU. The Order does not change the obligations of US companies that have volunteered to participate in the program and to comply with its data protection requirements. US companies that have elected to join the Privacy Shield must continue to follow the Privacy Shield Framework in order to keep its benefit as a legal basis for transferring personal data from the EU to the US.

It nonetheless remains prudent to monitor US executive actions going forward, to see how the Order is implemented and how agency interpretations of existing laws and US surveillance policies evolve.

For its part, the European Commission clarified in a statement that the Privacy Shield is implemented through the EU-U.S. Data Protection and Privacy Agreement (the "Umbrella Agreement") and the Judicial Redress Act. The Commission also noted that the Privacy Shield "does not rely on the protections under the Privacy Act."

EU companies with US affiliates that handle personal data are strongly advised to review their data collection and handling policies and to be ready to respond to US agency requests. The EU Standard Contractual Clauses remain (as of today) a supplementary, though relatively